Axsis Consultants Limited

Our Services

Security Reviews

Many organisations appreciate the need to put in place appropriate security policies and countermeasures, but may not have had the resources to give it a high priority.

Often the trigger to take some action is a major upgrade of office automation and network infrastructure linking most buildings and staff, since the threats and vulnerabilities increase with inter-linked systems and more widespread user access. This applies even more so if external dial-in access or mail gateways are required, let alone Internet access.

This paper discusses some of the considerations that apply in developing an appropriate response. It can be used to assess the priorities for a relatively simple and quick review.

Scope

There is much emphasis in security studies on defining the scope of the "System" being covered, and who the users are. Possibilities include:

Deliverables

Depending on the scope, and assuming a focus on IT, the deliverables may include one or more of:

  1. IT Security Policy, defining in a short high-level document the general principles to be followed, plus both management and user or staff responsibilities for the implementation and maintenance of security.
  2. Security Review Report, summarising the findings and recommendations of an informal review.
  3. Security Risk Assessment, for instance following UK government guidelines.
  4. System Security Policies (SSPs) for each system, where the office automation and network infrastructure could be one system and the finance system another. These could follow a formal structure such as that of the UK government guidelines, and consider global, local and electronic security environments. Countermeasures are specified with regard to access and access control, authentication, accounting and auditing, availability and integrity.
  5. CRAMM® Report, following use of the CRAMM software tool as described below.
  6. Security Operating Procedures (SyOPs), defining security responsibilities and administrative procedures for various classes of staff such as system administrators and users.

Related Areas

Related areas sometimes considered along with data security include:

Approach

Once the scope and deliverables have been agreed a plan can be drawn up such as:

  1. Stage 1 - Prepare, through consultation within the organisation, an assessment of the nature of information held and transferred electronically, including (for CRAMM, see below) asset valuation and the impact of disclosure, destruction, modification or unavailability of data.
  2. Stage 2 - Threat (likelihood) and vulnerability (exposure) assessments.
  3. Stage 3 - Security design and risk management proposals, including recommended countermeasures.
  4. Stage 4 - Finalisation and presentation of the agreed deliverables, such as an SSP or a Security Review report.

A formal CRAMM approach can be followed to ensure a thorough consideration of all relevant factors. It requires more extensive consultation within the organisation, more formal consideration of threats and vulnerabilities and more extensive consideration of countermeasures. It also produces voluminous reports, which require interpretation before an appropriate policy can be derived and presented to management.

A CRAMM review as such can only be carried out utilising the UK Government sponsored CRAMM tool for the analysis and management of IT security risks.

AXSIS Experience

We have advised many commercial concerns and UK Government departments on office systems and network infrastructure security matters for protectively marked information, including the preparation of approved SSPs. References are available on request. This work included liaising with the appropriate authorities, and advising departments on the use of e-mail gateways, remote access and the feasibility of Internet connection.

Please contact us, without any obligation, if you would like to discuss what might be appropriate for your organisation; see our Web security site list or see below for further information.